1 files changed, 15 insertions, 8 deletions

diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index f0ea3d24..5a6d2c4e 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -1,6 +1,13 @@
 table inet filter {
   limit lim_reject {
-    rate over 1000 / second burst 1000 packets
+    rate over 1000/second burst 1000 packets
+  }
+
+  limit lim_icmp_local {
+    rate 10 mbytes/second burst 10 mbytes
+  }
+  limit lim_icmp_dsl {
+    rate 1 mbytes/second burst 1 mbytes
   }
 
 
@@ -12,12 +19,13 @@ table inet filter {
     ct state invalid log prefix "drop invalid forward: " counter drop
 
 
+    iifname lo counter accept
+
     iifname eno1 oifname dsl counter accept
     iifname dsl oifname eno1 ct state {established, related} counter accept
 
-    meta l4proto ipv6-icmp counter accept
-    meta l4proto icmp counter accept
-    meta l4proto igmp counter accept
+    oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local accept
+    oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl accept
 
 
     limit name lim_reject log prefix "drop forward: " counter drop
@@ -47,11 +55,10 @@ table inet filter {
     meta protocol ip udp dport 51820 counter accept
     udp dport 60000-61000 counter accept
 
-    iifname "dsl" meta protocol ip6 udp dport 546 udp sport 547 counter accept
+    iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
 
-    meta l4proto ipv6-icmp counter accept
-    meta l4proto icmp counter accept
-    meta l4proto igmp counter accept
+    iifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
+    iifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
 
 
     limit name lim_reject log prefix "drop input: " counter drop